A Complete Guide To The Shield Security Scans

Shield Security helps you detect and eliminate infected/malware files and prevent future hacks completely automatically, using its powerful Hack Guard module, which is composed of several components: the automatic scanners.

Here, we’ve put together an informative, complete guide to the Shield scans. By following the steps outlined in this guide, you will learn how to 
  • configure scans through Hack Guard module
  • set email alert reporting from scans
  • run scans and what to do next
  • review scan results details & take actions (with examples)
We also answer the most common questions related to scans.
Before we get started, please note that certain scanners and options are available in ShieldPRO only.

#1 Configuration 

The first step is to configure the scanners under the Hack Guard module. This is how to do that.

The 'File Scans and Malware' section

1) Enable 'Automatic WordPress File Scanner' (recommended)

This is a single filesystem scanner which is a combination of the 4 scanners:

2) Select file scan areas (recommended)

Select which areas of your WordPress site you want to be scanned.

3) Repair files automatically (optional)

If you're a beginner, it's best not to enable this for now. We suggest getting familiar with the entire scan process first; you can let Shield do this automatically for you later on.

4) Lock files against tampering and changes (recommended)

[Pro Only] Enable 'File Locker'.

This detects changes to the most important files, then lets you examine the contents and revert them as required.

5) Auto filter results/scan exclusions (optional)

[Pro Only] You can exclude file/folder paths you don't want to be scanned by the 'Automatic WordPress File Scanner'.

Important: If there is an empty file, it won't show in the scan results. This type of file is irrelevant, does not pose any security risk and will be excluded automatically.

The 'Vulnerabilities, Plugins, Themes' section

1) Enable the 'Abandoned Plugin Scanner' (recommended)

This will scan the plugins on your site to check whether they've been abandoned.

2) [Pro Only] Enable the 'Vulnerability Scanner' (recommended)

This will scan your list of installed plugins/themes and compare their current versions against a list of known plugin/theme vulnerabilities.

[Pro Only] You can also apply updates automatically to vulnerable plugins/themes.

The Scan Options section

1) Optimise file scans (optional)

Enable the 'Optimise File Scans' option to make file scans run much faster.

Important: If you experience any errors in your logs or strange scanning behaviour, disable this option.

2) [Pro Only] Set the daily scan frequency (recommended)

To improve security, increase the number of times all scans run per day.

By default, the cron is set to run at 3 a.m. You can override the hour at which the Shield crons run, including the scans, by using this filter:

https://gist.github.com/paulgoodchild/6a4d299a21246ca1c058335dfb352a29

3) [Pro Only] Show re-install links (optional)

This will show links to re-install plugins and offer re-install when activating plugins.

#2  Set email alerts from your site scans

This setting can be found under the main Config menu > General Settings > Reporting section.

1) Set Alert Frequency Report (recommended)

Critical alerts are typically results from your most recent site scans. You can choose how often important alerts from scans will be sent to you by email.

#3 Run scans

You can let the scans run automatically for you. How often they'll run depends on your 'Scan Frequency' setting (explained above).

Each time the scans are completed, the results will be displayed in the Scan Results. 

If you want to do manual scans, for any reason, you can access the Run Manual Scan option from the Action Menu.

#4 Review scan results details & take actions

So, when the scans are completed (either automatically or manually by you), you'll need to 

  1. Review the scan results details through Scan Results page
  2. Take actions (decide what you want to do with them)

Here are examples of the Scan Results page for each scanner and what actions are available. 

1) WP Core File Scanner

There are modified and missing WP core files detected. 

Before you take any action, it's best to review the file first. You can click on it in the scan results table to open it and see the original file content, the differences and other info. Or, download it. For example:

Then you can decide if you want to ignore or repair it. For example:

If ignored, the file will be accepted (whitelisted) by the scanner and won't show up in the scan results in the future.

2) Unrecognised File Scanner

Unrecognised files detected in the WP core. Review the file and then you can delete or ignore it. For example:

If you're unsure which unrecognised core files you should keep or delete, talk with your web host and they'll help you determine what's best for your site.

3) Plugin/Theme Guard Scanner -  plugin files

Modified plugin file detected. Review the file first and then you can repair or ignore it.

If you personally made changes to this file and you're sure it's legit, you can ignore it. 

The unrecognised plugin file can be deleted or ignored. 

Example:

If you're unsure which unrecognised plugin files you should keep (ignore) or delete, you may reach out to the plugin author and ask them whether those files are legit. If they are, you can click to ignore them. If not, you can delete them.

Plugin/Theme Guard Scanner - theme files

Modified & unrecognised theme files detected. Review the files first. Then you can repair or ignore the modified file, or delete or ignore the unrecognised one.

Example:

Same as for plugin files - if you personally made changes to this theme file and you're sure it's legit, you can ignore it. 

If you're unsure which unrecognised theme files you should keep (ignore) or delete, you may reach out to the theme author and ask them whether those files are legit. If they are, you can click to ignore them. If not, you can delete them.

4) Vulnerabilities Scanner

Known plugin vulnerabilities detected. You'll need to upgrade the plugin to the latest version. Just click the 'Update Available' link and upgrade. If no update is available yet, it's best to remove the plugin for now.

There is also a "More Info" link you can use to view the list of vulnerabilities and other info (vulnerabilities lookup). For example:

The vulnerable plugins will be flagged on the Plugins page as well.

5) The Abandoned Plugin Scanner

Abandoned plugin detected. You can ignore it or replace it with an alternative, because these plugins can pose a security risk.

6) Malware Scanner

WP core, plugin, theme files suspected of being malware. 

PHP malware is a complex topic and scanning for malware is not simple. Please take a moment to read some of the help around this topic.

Also, read about Shield's AI-based Malware scanner here.

You can check detected files with the AI-based Malware scanner as well. This will give an estimate of whether a file is malware or clean of malicious code. For example:

So, you can examine these files first and then click to ignore, repair or delete them. 

Before you take any action, we highly recommend that you examine the files and read this help article:

Is This Malware?

Example: The unrecognised malware files detected in your core, plugin and theme - delete/ignore actions

7) File Locker

Example of the .htaccess file modified. You can review the changes and accept them, or restore the original file contents.

We hope that the above steps/details were helpful for you. Now, we are going to answer the most common questions related to scans.

#5 Most common questions

How can I adjust scanner notices about plugin/theme update/active status?

You can use filters to adjust whether Shield warns about inactive plugins/themes or those with updates. 

I received an alert report by email. What should I do next?

When you receive this email, you may click the "View Report" link:

It will direct you to the Scan Report page so you can review scan results details.

Example report:

Then, review the scan results and take actions (please see "#4 Review scan results details & take actions" above).

If there is nothing in the scan results, please note that, depending on previous actions taken on the site or file system changes, the results reported in the alert email may no longer be available to view.

Where can I find the list of files/plugins detected by the scans?

This can be seen in your Activity Log. For example, 

Where can I see what files/plugins have been deleted/repaired/updated?

This can be also seen in your Activity Log. Here are a few examples:

Item repaired

Item deleted

Plugin upgraded (i.e. vulnerable plugin)

You'll also be notified by email. For example.

Plugin updated - email notification

Hint: If you need any information about scan activities, it's best to use your Activity Log.

How can I get instant alerts on the vulnerable plugins/themes and File Locker changes?

You can use "Instant Alerts" options detailed here.

File is flagged as "malware" but it isn't. What should I do?

If you examined a file and you're sure it's legit, you may click to ignore it in the Scan Results. When you do this, it sends that as a "false positive" signal to ShieldNET, so that in the future it probably won't be picked up on the scans. You may read more about this here.

How can I reveal the ignored scan results?

You can do this by using the 'Clear Ignore Flags' option, under the Run Manual Scan option (from the main Scans section menu or Action Menu).

Just select this option and click to run scans. All previously ignored scan results will show up on the Scan Results page.

For example, if you are sure that there is a modified WP core file and that you may have ignored it, use this option to reveal it. 

How to un-hide the ignored, repaired and deleted scan results

You can use "Results Display Options" detailed here.

What is the difference between "unrecognised" and "modified" file?

An unrecognised file is a file that's been added to your site. This file is not part of your original WP core, plugin or theme installation files.

A modified file is a file that's been changed, either by you or by someone else.
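
The distinction above, as an added example that is not Shield's own code: a minimal integrity check in Python that compares the files on disk with a known-good manifest of SHA-256 hashes and sorts the differences into modified, unrecognised and missing. The function names, the manifest format, the `ignored` set and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def classify(root: Path, manifest: dict, ignored: frozenset = frozenset()) -> dict:
    """Compare files under root with a known-good manifest {relative path: sha256}."""
    result = {"modified": [], "unrecognised": [], "missing": []}
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    for rel, path in sorted(on_disk.items()):
        if rel in ignored:
            continue  # previously accepted (ignored) by the site owner
        if rel not in manifest:
            # Assumption: empty files are not reported, as the guide describes.
            if path.stat().st_size > 0:
                result["unrecognised"].append(rel)
        elif sha256_of(path) != manifest[rel]:
            result["modified"].append(rel)
    result["missing"] = sorted(r for r in manifest
                               if r not in on_disk and r not in ignored)
    return result


def demo() -> dict:
    """Constructed sample: a tiny fake install checked against its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        originals = {"index.php": b"<?php // original index\n",
                     "wp-includes/version.php": b"<?php // version file\n",
                     "wp-includes/load.php": b"<?php // loader\n"}
        manifest = {rel: hashlib.sha256(data).hexdigest()
                    for rel, data in originals.items()}
        (root / "index.php").write_bytes(b"<?php // original index\n// edited\n")  # modified
        (root / "wp-includes/version.php").write_bytes(originals["wp-includes/version.php"])
        (root / "wp-includes/extra.php").write_bytes(b"<?php // added later\n")  # unrecognised
        (root / "empty.txt").write_bytes(b"")  # empty file, not reported
        # wp-includes/load.php is never written, so it is reported as missing
        return classify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Passing a path in `ignored` removes it from all three lists, which mirrors what clicking "ignore" does to a result in this guide.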

Can I set scanners to auto repair or delete modified/unrecognised files?

You can set scanners to auto repair modified files under the Scans section > Configure > File Scans and Malware > Automatic File Repair. 

However, unrecognised files detected in the WP core, plugins and themes can't be set to auto delete because this is too risky. You may need those files for the normal functioning of your site, and if they were deleted automatically by accident, the site may break.

So, to remove the unrecognised files, you'll need to do that manually through Scan Results page by using either "Delete/Repair Selected" option or "Delete" icon, for example:

How does Shield repair files, e.g. plugin files?

If the plugin is on wordpress.org, then we can download the files. If we can download the files, we can replace the files on the site.
If we can replace the files on the site, we can repair the files by removing the existing file and replacing it with the file from wordpress.org.

Where can I find more information about Shield scans?

You may use our Knowledge Base here or use a "Search Box" inside the plugin area or help widget:

Apart from this, there are "info/blog" help links for each of the options, for example

Under the Scans section, there is also a help link for the complete guide to the scans:

If you need help, this is how to reach out to us